Legal and Ethical Obligations in Cybersecurity
I recently presented at the Duke Law EDRM on Cybersecurity and Law Firm Understanding Legal and Ethical Obligations. Some questions were asked that we did not have time to answer so I am answering them here for those who are interested.
- How often should a company perform penetration testing?
It is quite common to perform penetration testing annually and vulnerability scanning at regular intervals in between penetration tests. However, depending on the sensitivity of your data, organization size, and risk profile, penetration testing may need to be performed more often. The frequency of testing should be proportional to the risk.
- Is there a short list of systems a company should have in place to protect their data? Essentially, what are the four or five core systems that would need to be in place at a minimum?
Some key technical controls include security monitoring, intrusion detection, vulnerability scanning, antivirus/antispam protection, and data loss prevention. As part of this, a company would want to implement robust authentication methods and strong passwords. A comprehensive protection strategy includes not only technical controls, but also policies, procedures, and training.
- What are some of the most common cybersecurity incidents that companies should be prepared for?
- Employee theft of IP
- Data breach
- Ransomware or other malware
- Business email compromise
- Password compromise
- What data should organizations be preserving in case an investigation is necessary?
Retain server, network device, application, and firewall logs for at least 18 months. Ensure that logs are stored in an alternate location so that clearing the log on the server does not eliminate the evidence. Enable logging of file access, database changes, and database access. It is best to have this data in a system that will normalize log fields and synchronize log time codes.
